Using DNS Logs As a Security Information Source

Posted on May 24th, 2013 in News by dglosser

Research Articles

Posted on September 26th, 2011 in News by dglosser

Occasionally this list is used as part of research into malware and domain security.   Please drop us a note if you find such a reference in an article or presentation; if you are the author, let us know.

Two papers we’ve become aware of:

Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games - http://www.cc.gatech.edu/~ynadji3/docs/pubs/gzaraid2011.pdf

A Demonstration of DNS3: a Semantic-Aware DNS Service – http://iswc2011.semanticweb.org/fileadmin/iswc/Papers/PostersDemos/iswc11pd_submission_106.pdf

Use Mirrors for downloading files

Posted on August 4th, 2011 in Domain News,mirror by dglosser

The zone and text files are ONLY available from a mirror and are no longer available
on the main site. All requests for files on www.malwaredomains.com will be directed to
our main mirror, mirror1.malwaredomains.com.


Posted on December 20th, 2010 in Domain News by dglosser

From byteninja.net:

MalNET serves as a low-interaction HTTP server which responds with a ’200 OK’ for every request. When malware attempts to retrieve http://bad.malwaredomain.com/som/bad/file.exe, MalNET basically says ‘yep, OK, here it is’ and then does nothing. To make this work you will need to run some sort of blackhole DNS setup in your environment such as the one on offer from malwaredomains.com. Once you have traffic redirected to your MalNET host, you should be able to see what the malware is trying to download.
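To show the mechanism the byteninja.net post describes, here is a minimal HTTP sinkhole of the same shape. This is an added example, not MalNET's code and not part of the original post: every request, whatever the method or path, gets an empty 200 OK, and the client address, Host header, method and path are written to an in-memory log so the analyst can see what a blackhole-DNS-redirected client asked for. The request path and Host header used in the stand-alone run are constructed to mirror the example URL above.

```python
"""Minimal HTTP sinkhole: answer everything with 200 OK and log the request.

Added example in the spirit of the MalNET description; not MalNET's code.
"""
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.request import Request, urlopen

# In-memory request log. A real deployment would write to a file or a SIEM.
REQUEST_LOG = []
_LOG_LOCK = threading.Lock()


def record_request(client_ip, host, method, path):
    """Store one observed request and return the stored record."""
    entry = {"client": client_ip, "host": host, "method": method, "path": path}
    with _LOG_LOCK:
        REQUEST_LOG.append(entry)
    return entry


class SinkholeHandler(BaseHTTPRequestHandler):
    """Answers every method with an empty 200 OK and logs what was asked for."""

    def _sink(self):
        record_request(self.client_address[0],
                       self.headers.get("Host", ""),
                       self.command, self.path)
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # Every common method gets the same "yep, OK, here it is" answer.
    do_GET = do_POST = do_HEAD = do_PUT = _sink

    def log_message(self, fmt, *args):
        # Silence the default stderr access log; REQUEST_LOG is the record.
        pass


def start_sinkhole(port=0):
    """Start the sinkhole on a background thread; return (server, bound port)."""
    server = ThreadingHTTPServer(("127.0.0.1", port), SinkholeHandler)
    thread = threading.Thread(target=server.serve_forever, daemon=True)
    thread.start()
    return server, server.server_address[1]


def fetch_status(port, path, host_header):
    """Send one request to the local sinkhole with a chosen Host header
    (standing in for the redirected malware) and return the HTTP status."""
    req = Request(f"http://127.0.0.1:{port}{path}", headers={"Host": host_header})
    with urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    srv, bound_port = start_sinkhole()
    # Constructed request, shaped like the URL in the post above.
    print(fetch_status(bound_port, "/som/bad/file.exe", "bad.malwaredomain.com"))
    print(REQUEST_LOG)
    srv.shutdown()
```

In use, the blackhole DNS zone points the listed domains at the host running this server, and the log then shows which domains and paths infected clients try to reach; the empty body means nothing is ever served back.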

Safe Browsing Alerts for Network Administrators

Posted on September 29th, 2010 in News by dglosser

From http://googleonlinesecurity.blogspot.com/2010/09/safe-browsing-alerts-for-network.html

Today, we’re happy to announce Google Safe Browsing Alerts for Network Administrators — an experimental tool which allows Autonomous System (AS) owners to receive early notifications for malicious content found on their networks. A single network or ISP can host hundreds or thousands of different websites. Although network administrators may not be responsible for running the websites themselves, they have an interest in the quality of the content being hosted on their networks. We’re hoping that with this additional level of information, administrators can help make the Internet safer by working with webmasters to remove malicious content and fix security vulnerabilities.

To get started, visit safebrowsingalerts.googlelabs.com.

Visualizing the Hosting Patterns of Modern Cybercriminals

Posted on September 25th, 2010 in Domain News by dglosser

Nice article on SANS:

Andrew Hunt – Visualizing the Hosting Patterns of Modern Cybercriminals

For example, when seed data pulled from Malware Domains is correlated with passive DNS and ASN data, then visualized, it is possible to see how the majority of the authoritative nameservers are hosted in the same network block. This dependence indicates an investment by the aggressor into a particular hosting company and can provide an effective network-level block at relatively low cost. As always, be aware of potential collateral damage when blocking a network portion that may also contain legitimate IP hosting space.
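The correlation step the article describes, as an added example that is not the article's or this site's code: seed domains are joined to passive-DNS observations of their nameservers, each nameserver IP is mapped to a network block and an ASN, and the code reports how concentrated the nameservers are. The passive-DNS records, prefixes and AS numbers below are all constructed placeholders (documentation ranges and private-use ASNs), not real observations; a real run would feed in the Malware Domains list, a passive-DNS export and a BGP prefix table. The last function lists which domains sit in a candidate block, which is the first thing to check before weighing the collateral damage the article warns about.

```python
"""Where do a set of domains' authoritative nameservers cluster?

Added example, not the SANS article's code. All data below is constructed.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed passive-DNS-style observations: (domain, nameserver, ns_ip).
PASSIVE_DNS = [
    ("bad-one.example",   "ns1.bad-one.example",   "203.0.113.10"),
    ("bad-one.example",   "ns2.bad-one.example",   "203.0.113.11"),
    ("bad-two.example",   "ns1.bad-two.example",   "203.0.113.20"),
    ("bad-three.example", "ns1.bad-three.example", "203.0.113.21"),
    ("bad-four.example",  "ns1.bad-four.example",  "198.51.100.7"),
    ("benign.example",    "ns.benign.example",     "192.0.2.5"),
]

# Constructed prefix -> ASN table, standing in for a real BGP/ASN feed.
PREFIX_TO_ASN = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
    "192.0.2.0/24": 64502,
}
_PREFIXES = [(ipaddress.ip_network(p), asn) for p, asn in PREFIX_TO_ASN.items()]


def asn_for(ip):
    """Longest-prefix match of an IP against the ASN table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, asn in _PREFIXES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    return best[1] if best else None


def hosting_concentration(records, block_prefixlen=24):
    """Count distinct nameservers per network block and per ASN.

    Returns the per-block and per-ASN counts, the busiest block, and the
    share of all nameservers that sit in that block.
    """
    by_block = defaultdict(set)
    by_asn = defaultdict(set)
    all_ns = set()
    for _domain, ns, ip in records:
        block = ipaddress.ip_network(f"{ip}/{block_prefixlen}", strict=False)
        by_block[str(block)].add(ns)
        by_asn[asn_for(ip)].add(ns)
        all_ns.add(ns)
    block_counts = Counter({b: len(s) for b, s in by_block.items()})
    asn_counts = Counter({a: len(s) for a, s in by_asn.items()})
    top_block, top_n = block_counts.most_common(1)[0]
    return {
        "by_block": dict(block_counts),
        "by_asn": dict(asn_counts),
        "top_block": top_block,
        "top_block_share": top_n / len(all_ns),
    }


def domains_served_from(records, block):
    """Seed domains whose nameservers live in `block`; review this (and the
    block's other tenants) before any network-level action."""
    net = ipaddress.ip_network(block)
    return sorted({d for d, _, ip in records if ipaddress.ip_address(ip) in net})


if __name__ == "__main__":
    result = hosting_concentration(PASSIVE_DNS)
    print(result)
    print(domains_served_from(PASSIVE_DNS, result["top_block"]))
```

With the constructed data, four of the six nameservers land in one /24 under one ASN, which is the pattern the article visualizes; the per-ASN counts are what you would plot or feed to a graph tool.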

Emerging Threats Sandnet

Posted on January 17th, 2008 in News by dglosser

The Emerging Threats Sandnet is back online!

This sandbox is one of the best sources of new, active domains for the DNS-BH list as well as fresh Snort signatures.

If you have any malware samples, links, spam, etc please send them to samples – at – emergingthreats(dot)net

Malware and ARP Spoofing

Posted on January 16th, 2008 in News by dglosser

Websense has an eye-opening writeup on how some malware is now using ARP cache-poisoning and making the infected machine into an HTTP proxy server. Poof! Your entire network is poisoned! Castlecops has a writeup from someone in China who has experienced this first hand: Machines which are declared clean by multiple AV products still suffer from the IFRAME. Yikes!

New Iframe exploits

Posted on January 11th, 2008 in Domain News,New Domains,Storm Worm by dglosser

Dancho Danchev’s blog lists several domains full of exploits, using “comprehensive multiple IFRAMES loading campaigns”:

8v8 (dot) biz uc147 (dot) com 070808 (dot) net qx13 (dot) cn
sbb22 (dot) com uuzzvv (dot) com 55189 (dot) net 749571 (dot) com
jqxx (dot) org mm5208 (dot) com 68yu (dot) cn 2365 (dot) us
loveyoushipin (dot) com yun878 (dot) com xks08 (dot) com

In better news, Shadowserver reports that the 17 Storm Worm domains, including i-halifax.com and i-barclays.com, appear to have all been placed in a status of “NOT DELEGATED” over at nic.ru, preventing A records from being returned when looking up the domains. (Some of the other holiday-related Storm Worm domains still have their NS records.)